CSRF Token And (Client Side) Caching

I am running into a problem with the CSRF protection and client side caching.

I use client-side browser caching of some of my pages using the last-modified header (through the CHttpCacheFilter extension). This is causing problems for some users with the comment box on those pages having outdated CSRF tokens.

Scenario:
1. User visits page which gets cached in their browser.
2. User returns to page later (after the csrf token cookie has expired). Sees cached version of page.
3. User attempts to post comment, gets CSRF error because the cached page's token does not match their cookie.

My first thought on fixing this (without eliminating the caching) is to use ajax to retrieve the new token and update the form. Is this safe to do, or would an ajax query to retrieve the token be a big security hole making the csrf protection moot? The same-origin policy may make it safe, but I'm not sure.
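As an added illustration (not part of the post, and not Yii's own code) of the refresh endpoint the post proposes, with the checks a defender would put on it: the server answers only same-origin XHR requests and marks the response uncacheable, and the client swaps the fresh token into the form. SITE_ORIGIN, the /csrf-token path and the header names are assumptions.

```javascript
// Added example (not from the post or from Yii): a same-origin token-refresh
// endpoint with the checks a defender wants, plus the client-side field swap.
// SITE_ORIGIN, the /csrf-token path and the header names are assumptions.
const SITE_ORIGIN = 'https://example.test';

// Server side: answer only if the browser attributes the request to our own
// origin and it was made via XHR/fetch. A cross-site <script>, <img> or form
// cannot satisfy both, so the token stays readable only by our own pages.
function allowTokenRefresh(headers) {
  const fetchSite = headers['sec-fetch-site'];          // sent by modern browsers
  if (fetchSite && fetchSite !== 'same-origin') return false;
  // Same-origin GET XHRs usually carry Referer rather than Origin.
  const source = headers['origin'] || headers['referer'];
  if (!source) return false;
  let origin;
  try { origin = new URL(source).origin; } catch (e) { return false; }
  if (origin !== SITE_ORIGIN) return false;
  // Custom header: only script running on our origin can add it; a plain
  // navigation or a cross-site request cannot.
  return headers['x-requested-with'] === 'XMLHttpRequest';
}

// Server side: the refresh response itself must never be cached, or the same
// stale-token problem the post describes moves to the refresh call. Plain
// JSON (never JSONP/script) so it cannot be pulled in cross-site via <script>.
function tokenResponseHeaders() {
  return {
    'Content-Type': 'application/json',
    'Cache-Control': 'no-store, no-cache, must-revalidate, private',
    'Pragma': 'no-cache',
    'Vary': 'Cookie',
  };
}

// Client side, kept DOM-free so it can be unit tested: take the form's hidden
// fields and the JSON body from /csrf-token and return the updated fields.
// The page would set form.elements[fieldName].value to the result before submit.
// 'YII_CSRF_TOKEN' is Yii 1.x's default csrfTokenName; pass yours if changed.
function applyFreshToken(fields, body, fieldName = 'YII_CSRF_TOKEN') {
  const data = JSON.parse(body);
  if (typeof data.token !== 'string' || !/^[0-9a-f]{32,128}$/i.test(data.token)) {
    throw new Error('unexpected token format');
  }
  return { ...fields, [fieldName]: data.token };
}
```

The page's own script would call `fetch('/csrf-token', { credentials: 'same-origin', headers: { 'X-Requested-With': 'XMLHttpRequest' } })` when the cached page loads (and again right before submit), then hand the response body to applyFreshToken.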